<div dir="ltr"><div><span id="gmail-result_box" class="gmail-" lang="en"><span class="gmail-">Hi,<br></span></span></div><div><span id="gmail-result_box" class="gmail-" lang="en"><span class="gmail-"><br>I need your advice.<br><br>I have a transparent proxy running with the self-generated certificate 'myCA.pem'; as it is not signed by a valid entity, I have to import the 'myCA.der' certificate into all web browsers ...<br><br>I want to know where I can buy a valid certificate that works in Squid.</span><span class="gmail-"></span></span></div><div><div><div><br></div><div>PS:<br></div><div>The proxy is working great<br></div><div><br><br>----------------------------------------------------------------------------------------------<br></div><div>Important information for clarity (FreeBSD, squid-3.5.23 and PF):<br><br></div><div>Create a self-signed certificate for the Squid server<br><br># openssl req -new -newkey rsa:2048 -sha256 -days 36500 -nodes -x509 -extensions v3_ca -keyout myCA.pem -out /usr/local/etc/squid/ssl_cert/myCA.pem -config /usr/local/etc/squid/ssl_cert/openssl.cnf<br><br># openssl dhparam -outform PEM -out /usr/local/etc/squid/ssl_cert/dhparam.pem 2048<br><br>Create a DER-encoded certificate to import into users' browsers<br><br># openssl x509 -in /usr/local/etc/squid/ssl_cert/myCA.pem -outform DER -out /usr/local/etc/squid/ssl_cert/myCA.der<br><br><br></div><div># edit /usr/local/etc/squid/squid.conf<br>...<br># Squid normally listens to port 3128<br>http_port 3128<br><br># Intercept HTTPS CONNECT messages with SSL-Bump<br>#<br>http_port 3129 ssl-bump intercept \<br> cert=/usr/local/etc/squid/ssl_cert/myCA.pem \<br> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \<br> dhparams=/usr/local/etc/squid/ssl_cert/dhparam.pem<br>#<br>https_port 3130 ssl-bump intercept \<br> cert=/usr/local/etc/squid/ssl_cert/myCA.pem \<br> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \<br> 
dhparams=/usr/local/etc/squid/ssl_cert/dhparam.pem<br>#<br>sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /usr/local/etc/squid/ssl_db -M 4MB<br>#<br>acl step1 at_step SslBump1<br>#<br>ssl_bump peek step1<br>ssl_bump stare all<br>ssl_bump bump all<br>always_direct allow all<br>#<br>sslproxy_cert_error allow all<br>sslproxy_flags DONT_VERIFY_PEER<br> </div><div>...<br><br></div><div>PF redirects the traffic to Squid<br><br># edit /etc/pf.conf<br>...<br># Intercept HTTPS CONNECT messages with SSL-Bump<br>rdr pass on $int_if inet proto tcp from any to port https \<br> -> 127.0.0.1 port 3130<br>rdr pass on $int_if inet6 proto tcp from any to port https \<br> -> ::1 port 3130<br></div><div>...<br>----------------------------------------------------------------------------------------------<br>-- <br><div class="gmail_signature"><div dir="ltr"><div>Ángel Villa G.<br>US +1 (786) 233-9240 | CO +57 (300) 283-6546<br><a href="mailto:angelvg@gmail.com" target="_blank">angelvg@gmail.com</a><br><a href="https://google.com/+AngelVillaG" target="_blank">https://google.com/+AngelVillaG</a><br><a href="https://angelcontents.blogspot.com" target="_blank">https://angelcontents.blogspot.com</a><br><br>"We are all atheists about most of the gods that societies have ever believed in. Some of us just go one god further" - Richard Dawkins</div></div></div>
</div></div></div></div>
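As an added, editor-supplied example (not from the poster's setup): a hardened form of the posted ssl_bump section that keeps the private CA (a publicly trusted CA will not issue a certificate able to sign arbitrary host certificates, so the browser import step cannot be avoided) but re-enables verification of upstream server certificates and splices hosts that must not be intercepted. It assumes the FreeBSD ca_root_nss port bundle at /usr/local/share/certs/ca-root-nss.crt and a constructed `.example-bank.test` hostname pattern.

```conf
# squid.conf (Squid 3.5) -- hardened ssl-bump section, added example.
# "cert=" must point at a CA certificate whose private key is in the same
# PEM, because Squid uses it to SIGN the generated host certificates.
http_port 3128

http_port 3129 ssl-bump intercept \
    cert=/usr/local/etc/squid/ssl_cert/myCA.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
    dhparams=/usr/local/etc/squid/ssl_cert/dhparam.pem

https_port 3130 ssl-bump intercept \
    cert=/usr/local/etc/squid/ssl_cert/myCA.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
    dhparams=/usr/local/etc/squid/ssl_cert/dhparam.pem

sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /usr/local/etc/squid/ssl_db -M 4MB

# Verify upstream servers against a trusted root bundle instead of
# disabling verification (path assumes the FreeBSD ca_root_nss port).
sslproxy_cafile /usr/local/share/certs/ca-root-nss.crt

# Weak (as posted):
#   sslproxy_cert_error allow all
#   sslproxy_flags DONT_VERIFY_PEER
# Hardened: an invalid upstream certificate produces an error page for
# the client instead of being re-signed by myCA and shown as trusted.
sslproxy_cert_error deny all

acl step1 at_step SslBump1
acl step2 at_step SslBump2
# Hosts that must never be intercepted (constructed pattern). The SNI is
# known after peeking at step 1, so the splice decision is taken at step 2.
acl nobump ssl::server_name .example-bank.test

ssl_bump peek step1
ssl_bump splice nobump
ssl_bump stare step2
ssl_bump bump all
always_direct allow all
```

Run `squid -k parse` before reloading to catch directive errors in the edited file.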